'IT companies may function like pharma companies'

by Ashwani Mishra    Sep 08, 2011

Dr. Whitfield Diffie, widely regarded as the father of public key cryptography, was recently inducted into the National Inventors Hall of Fame (USA) in Washington D.C. He previously worked at Sun Microsystems as Chief Security Officer and Vice President. Currently, he is on the Scientific Advisory Board of Uniken, a fellow of the Marconi Foundation and a visiting fellow of the Isaac Newton Institute.

Cxotoday.com caught up with him on the sidelines of the Securitybyte 2011 conference in Bangalore, where he shared his views on various security topics.

Q] What’s your view on having cyber deterrents to mitigate threats in the cyber world?
Defending is not as much fun as being in action and attacking. There is a lot of talk in the US around cyber deterrents and I am quite skeptical about it. We had nuclear deterrents and that was not a good idea. It is still not clear whether having a deterrent in cyber space will be feasible. We need to learn and explore the cyber world more before going ahead with such deterrents.

The other thing about offensive action is that it is more expensive. The reason behind this is that the technology used for offense is separated from the general technology that is profitable and socially valuable over a broader spectrum.

The Internet is without doubt a medium of intelligence and in some sense affects one's daily life. More specifically so if you are running military organizations. This is because there is an important information loop which focuses on command, control and management of these organizations. This loop goes around from planning to observation to action. There is an analogy that if an opponent moves around this loop faster they will always have the upper hand.

Q] A few governments around the globe, including India, have asked some communication providers to share encryption keys in order to access messages. Your take on this?

I think it is the view of governments and the right that they grant to citizens. On a personal note I believe in rights of personal communication. Despite understanding the motivating factor for governments to ask for this, I am very hostile to it.

I think that IT companies will become like drug companies. Software and drugs have similar economic characteristics. They have high cost of development for a low marginal cost of production.

However, in regulation they are very different. Drug companies have to seek permission every time for manufacturing various medicines. Did Facebook seek any such permission? We do not want an FDA-like approval for new software.

I am worried because seeking such information will be a setback, especially for start-ups, as it will increase their cost since they need to have in-built machinery within their solutions/software to provide such information.

Q] For the past couple of years there has been a lot of talk around cloud computing. We have seen some adoption across the globe and many enterprises continue to evaluate the cloud for their infrastructure. From a security point of view what are the key concerns?

For the IT department, the cloud will look like a bricks-and-mortar contract model. We are entering an age which has good and bad policies and we may see a lot of secrecy from service providers.

Take the example of Google. The vast body of software that Google runs for its customers is not shared with others. They (Google) will even run it for you free or even rent it to you but will not give you the software. It is their decision to keep their trade secret.

This suggests to me that there is a lot of potential for hackers to hack into the systems of utility providers, especially start-ups that have ventured into this space by offering niche solutions on the cloud.

CIOs need to have a good look at the contracting systems offered by cloud service providers overall, as well as the service level agreements (SLAs) related to data protection and security.

Q] You spoke about keeping security simple. What does that imply?

It is the designers of security solutions that have the onus of keeping security simple.